TOCTOU Vulnerability in Containerd Affects Host Filesystem
CVE-2025-47290

7.6 HIGH

Key Information:

Vendor: Containerd
CVE Published: 20 May 2025

What is CVE-2025-47290?

A time-of-check to time-of-use (TOCTOU) vulnerability has been identified in the Containerd container runtime, specifically in version 2.1.0. The flaw occurs while container images pulled from repositories are being unpacked, and it allows a specially crafted image to make arbitrary modifications to the host filesystem. Users of Containerd are advised to upgrade to version 2.1.1, which addresses this issue. To mitigate risk, pull only trusted images and restrict the ability to import images to trusted users.

Affected Version(s)

containerd = 2.1.0

CVSS v4

Score: 7.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published
  • Vulnerability reserved